Bug 1274196 - RFE: configure iptables rules on overcloud hosts
Summary: RFE: configure iptables rules on overcloud hosts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 10.0 (Newton)
Assignee: Ben Nemec
QA Contact: Ofer Blaut
URL:
Whiteboard:
: 1284080 (view as bug list)
Depends On:
Blocks: 1305123 1350510
TreeView+ depends on / blocked
 
Reported: 2015-10-22 08:51 UTC by Ofer Blaut
Modified: 2018-05-02 10:36 UTC (History)
13 users (show)

Fixed In Version: openstack-tripleo-heat-templates-5.0.0-1.1.el7ost
Doc Type: Enhancement
Doc Text:
With this update, the iptables firewall on the overcloud controller nodes are enabled to ensure better security. As a result, the necessary ports are opened so that overcloud services will continue to function as before.
Clone Of:
: 1305123 (view as bug list)
Environment:
Last Closed: 2016-12-14 15:16:44 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 191195 'None' MERGED Implement Advanced Firewalling support 2020-09-10 01:39:44 UTC
OpenStack gerrit 321833 'None' MERGED Enable firewall by default on the overcloud 2020-09-10 01:39:44 UTC
OpenStack gerrit 330249 'None' MERGED Allow pacemaker ports in firewall 2020-09-10 01:39:44 UTC
OpenStack gerrit 330759 'None' MERGED Stop using deprecated port param in firewall rules 2020-09-10 01:39:44 UTC
OpenStack gerrit 330760 'None' MERGED Allow sahara ports in firewall 2020-09-10 01:39:44 UTC
OpenStack gerrit 383477 'None' MERGED Enable firewalling by default on compute nodes 2020-09-10 01:39:45 UTC
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC

Description Ofer Blaut 2015-10-22 08:51:18 UTC 
Description of problem:

We should configure iptables rules on ospd overcloud hosts .

upstream patch - https://review.openstack.org/#/c/191195/

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.run sudo iptables  -S  on  controllers/computes/ceph 
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Mike Burns 2015-11-23 12:48:53 UTC 
*** Bug 1284080 has been marked as a duplicate of this bug. ***
Comment 3 Dan Sneddon 2016-02-04 15:59:32 UTC 
(In reply to Ofer Blaut from comment #0)
> Description of problem:
> 
> We should configure iptables rules on ospd overcloud hosts .

Perhaps we should use iptables rules on OSPD overcloud hosts, but the stated reason for using iptables here is based on a faulty assumption.

The problem is that the system is accepting route advertisements from the router, and adding a route, even if there is no IP on the interface.

In order to turn this behavior on/off, you can edit /proc/sys/net/ipv6/conf/default/accept_ra to be "0" instead of "1".

You can also turn it on/off on a per-interface basis, e.g.:
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
Comment 4 Keith Basil 2016-02-05 16:22:55 UTC 
I would accept Dan Sneddon's suggestion as the fix here.  This doesn't seem like we need to take on iptables config work.   And, if we did, the specifications around what we need to solve are not presented here.

I would suggest we open a new BZ to solve for the route advertisement problem specifically.
Comment 8 Mike Burns 2016-04-07 20:54:03 UTC 
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 10 Emilien Macchi 2016-06-16 19:49:51 UTC 
Ofer, yes, we're still working on it. I did initial work last year and now Ben is working on enabling the feature by default. I updated the list of patches that we need to make this feature really working.
Comment 13 Jaromir Coufal 2016-10-27 08:39:10 UTC 
Ack.
Comment 14 James Slagle 2016-10-27 10:01:05 UTC 
note the fix for the overcloud is in tripleo-heat-templates, not instack-undercloud
Comment 19 errata-xmlrpc 2016-12-14 15:16:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
Comment 20 Amit Ugol 2018-05-02 10:36:21 UTC 
closed, no need for needinfo anymore.
Note You need to log in before you can comment on or make changes to this bug.